deps: bump github.com/cert-manager/cert-manager from 1.19.3 to 1.20.3

[dependabot]

Bumps github.com/cert-manager/cert-manager from 1.19.3 to 1.20.3.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

• Security (HIGH): Remove Challenge create and Order create, patch, update verbs from the cert-manager-edit aggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8940, @​wallrj-cyberark)
• Remove issuer owner reference from challenges blocking challenge garbage collection (#8759, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go to 1.26.3, other deps to fix several govulncheck issues (#8789, @​SgtCoDFish)
• Update Go to v1.26.4 to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8926, @​wallrj-cyberark)

v1.20.2

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#8704, @​erikgb)
• Bump go to 1.26.2 (#8703, @​erikgb)

v1.20.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

• Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @​hjoshi123)

... (truncated)

Commits

• 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
• 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
• 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
• b352e55 [release-1.20] Update Go to v1.26.4
• 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
• 29ae077 chore(deps): update base images
• 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
• 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
• 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
• 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)